CHAPTER I

Introduction

Problem Definition

There is presently no capability to process compartmented and collateral intelligence simultaneously within the Army Standard System for Intelligence Support Terminal (ASSIST) computer. The problem is penetration, accidental or deliberate, of compartmented intelligence data by users who are not granted the appropriate level of access. Current security control measures physically disconnect the user from the system at the intelligence data handling site. The only method for processing compartmented intelligence is a segregated mode of operation. For the purpose of this thesis, the Forces Command Intelligence Group (FORSIG) site located at Fort Bragg, North Carolina, will be examined.

Secure  System 

A computer system is secure if it is known to prevent all actions defined as unauthorized by security specifications. Penetration studies conducted by the Department of Defense (DoD), involving several different systems, have demonstrated that existing shared, general purpose systems are not secure. In all such systems, a malicious user can construct a program that can defeat the access constraints supposedly enforced by the system. To be secure, all possible ways to perform unauthorized actions must be blocked. No way to circumvent the protection mechanism can exist.

Computer security is an all-encompassing term which includes physical aspects, personnel, administration, hardware, communication, and software. Traditionally, the method of securing the computer has been to remove the entire system to a protected environment. The compartmented data within the computer has been afforded the same protection as non-computerized data. The ASSIST resource-sharing computer systems, wherein the computer capabilities and components are shared by many users or many jobs, have compounded the security problem of safeguarding compartmented data. Resource sharing allows a number of users to interact within the computer while giving each user a variety of options depending on the capabilities. The more user capabilities offered by the computer, the more difficult and complex are the security controls. Figure 1 is a graphical description of this situation.

This figure illustrates that users with limited programming capabilities within a system do not pose as serious a security problem as users with unlimited capabilities. The system itself, by the type of accesses and processes offered, increases the difficulty and complexity of the security controls.

The ASSIST system is a remote access system incorporating the capabilities of the file query and fixed transaction systems shown in Figure 1. Therefore, capabilities offered by ASSIST do not require the most complex security controls, as would a system offering greater programming capabilities, such as the TYPE III and IV systems shown in Figure 1.

File query user capabilities of ASSIST enable intelligence analysts at the intelligence data handling sites to execute only limited application programs. The analyst does not have the capability to alter the program, although the capability exists to couple several of these programs together and insert parameters into the selected programs.

[Figure 1: User Capabilities (figure not reproduced)]

The ASSIST's fixed transaction capability allows the intelligence analysts to insert parameters. Programming is limited to input language symbols provided by the ASSIST monitor software. The symbols are not used to construct an internal machine language program that can subsequently be executed upon command from the user. Thus, the user does not have the opportunity to obtain control of the computer directly, because he is buffered from it by the interpretive software.

Multilevel Security

Different levels of data accesses are processed at the intelligence data handling site. Since not all users have the same level of access, a multilevel security problem is created. A multilevel security mode of operation provides the capability for various levels of classifications and compartments of data to be concurrently stored and processed in the automatic data processing (ADP) system. In the ASSIST remote access system, the data can be selectively accessed and manipulated from terminals controlled by various personnel having different security clearances and access approvals. So the problem associated with multilevel security at Forces Command Intelligence Group (FORSIG) is controlling those users who do not have the appropriate security clearance for access to the system when compartmented material is being processed. The multilevel security problem may not be completely solved, but security controls can be designed to bring the risk to an acceptable level.

The term acceptable risk level in a multilevel ADP operation is not formally defined by any authority. The ADP Security Manual discusses implementation of a secure resource-sharing ADP system which processes classified data so that, with reasonable dependability, accidental or deliberate penetration can be prevented. The term reasonable dependability indicates that a certain amount of risk can be tolerated. The Defense Science Board Task Force on Computer Security stated the following concerning multilevel utilization:

Since a complete proof of protection is not within the present state of the art, . . . it is recommended that the system designer estimate the probability of occurrence of a single failure or the combination of failures that could result in a disclosure of classified information. Based on this information, the Responsible Authority can determine whether the risk probability is acceptable or not.

The Defense Science Board included "special caveat information" (compartmented intelligence) in its discussion on multilevel utilization. The Defense Intelligence Agency Manual states that "computer systems require multiple security measures and procedures to attain an acceptable level of security."

The ADP Security Manual, the Defense Science Board, and the Defense Intelligence Agency Manual on Security of Compartmented Computer Operations all indicate that there is, at some point, an acceptable risk level. However, the Department of Defense authorities have not yet defined the controls necessary for an acceptable risk level in a multilevel ADP operation.

Purpose 

The purpose of this thesis is to define those controls necessary in a final design that will bring the risk of penetration to an acceptable level. The design will be determined by examining the current state-of-the-art of security control measures and determining their application in solving the multilevel security problem at the ASSIST intelligence data handling sites. Through this examination of current state-of-the-art control measures and existing security control measures in force at the intelligence data handling sites, a system of controls will be described that, when implemented, will reduce the risk of penetration.

A design of software security controls for the IDHS FORSIG, Fort Bragg, North Carolina, will be the main emphasis of this thesis.

Background 

ASSIST was designed to give the intelligence analysts a system that provides ready access to all data in intelligence files related to their needs. ASSIST supports the linking of Army intelligence data handling sites and allows communications with other Department of Defense (DoD) systems. Figure 2 depicts ASSIST sites throughout the world where analysts can interact with local or remote intelligence files to exchange data with other analysts.

Figure 3 shows how the intelligence analysts interface with Department of Defense systems and other ASSIST sites. The World Wide Military Command and Control System (WWMCCS) computer, a dual Honeywell 6060, is located in the Pentagon and is used for ASSIST host-support services (remote job entry and time-share access). Communication links from the intelligence data handling sites (IDHS) and the Assistant Chief of Staff for Intelligence (ACSI) provide the interface to WWMCCS. A switch at the office of the ACSI permits IDHS access to the Defense Intelligence Agency (DIA), and then to the Defense Intelligence Agency On-Line Intelligence System (DIAOLS) and the Community On-Line Intelligence System (COINS).

The ASSIST system offers a powerful, user-oriented ADP base for intelligence data handling system analysts. The system also offers a means of integrating the strategic and tactical intelligence analyst's problem by having ASSIST terminals at the tactical field location of the

ASSIST Security Requirements

ASSIST multilevel security requirements can be categorized as physical, personnel, communication, hardware, and software. Access control must be in force throughout the system. Physical, personnel, and communication access controls have been identified in current DoD regulations, and will not be discussed in detail as they apply to IDHS. The IDHS FORSIG meets these requirements.

Access to the computer from the terminals has to be controlled by the software of the system. Physical, personnel, and communication security controls are currently accepted by DIA as secure in the handling of compartmented and collateral material concurrently in a manual system. These same controls are also applied in an ADP system. Software controls in an automated system can replace the Special Security Officer who is used to insure security in a manual system. The necessary software security controls have not been identified by any DoD authority.


Software Security

Software security controls insure that the security constraints placed on the system are enforced.

The systems designer contributes to security by capitalizing on the facilities of the computing systems in order to augment the external manual procedure. Specifically, he can design and program more elaborate, more precise, and more consistent controls over selective access to sensitive data. These controls, coupled with personnel, procedural and physical measures taken by data-processing-operations management can significantly reduce an organization's exposure to potential data security problems.10

Software control measures can be grouped into four areas: access, input/output, residual, and audit trail. Each control measure is a separate area or control point which works together with the others to reduce the risk of penetration.

The emphasis in all multilevel security studies is the recognition of the user and his authorization level. "Once a user is identified, the system must determine what he is authorized to do. He may be authorized to use some programs or functions, but not all." Terminal identity is of equal importance to user identity at the intelligence data handling site, for it is the location of the terminal that governs its authorization level.

When the user/terminal is properly identified, security flags (authorization code) established by software will accompany each request for data. The security flags will determine what data the user and/or terminal are authorized to input/output. The user and/or terminal identification/location controls the input/output authorization.

After the user has concluded his transaction or query, main memory or peripheral devices contain residual data not intended for use outside the context of the process. This residual data is a potential security hazard unless it is erased to prevent unauthorized users' access.

The software technique used to verify that the system is operating correctly is the audit trail, a system of logs that record how, what, when, and where a user interacts with the system.

The design of the software controls will be examined in Chapter II. Chapter III will examine IDHS at FORSIG and how the designed controls reduce the risk of penetration.


CHAPTER II

EXAMINATION OF RELATED LITERATURE AND DISCUSSION


Introduction

This chapter examines state-of-the-art software security controls. The literature that was examined discussed security requirements in a multilevel system. None of the literature dealt with compartmented intelligence, although the systems did deal with varying levels of classification. Compartmented intelligence "includes only that intelligence material having special controls indicating restrictive handling for which systems of compartmentation or handling are formally established." The term classification refers to the three levels defined by DoD as top secret, secret, and confidential. Compartmented intelligence is classified data with special caveats and a need to know. Collateral intelligence is all other intelligence classified without special caveats.

Multilevel systems deal with various levels of authorization determined by levels of access given individuals or terminals. This thesis treats compartmented data as just another level of access, which is governed by special access privileges to those individuals and/or facilities meeting stated DoD criteria.

Software security design is developed from an examination of existing studies devoted to multilevel security. The software security control designs, as proposed in the following paragraphs, are for the FORSIG IDHS facility and may or may not have application to other systems or ASSIST sites.

ASSIST Software Security Control Designs

The choice of applicable software security controls for the ASSIST intelligence data handling sites is based upon the selection of techniques that provide proper protection of compartmented data from uncleared users. The Defense Science Board Task Force on Computer Security, in discussing automation of a multilevel security system, described the following operating environmental features:

Integrity for both itself and the security system; multiprogramming or on-line, interactive capability; a basic file system; protection (read, write, and execute) for users from each other; a secure method of identifying and authenticating users; an interface with the security system that permits input/output for any user only after authorization by the security system.

The following is a list of controls that have been identified as system design requirements to reduce the risk of penetration. Each category of controls will be discussed in a later section.


Access Controls

1. Identify correctly the terminal in relationship to the transaction and/or query authorization.

2. Identify correctly the user in relationship to the transaction and/or query authorization.

3. Recognize repeated attempts to gain entry.

4. Prevent changes or modifications in fixed transaction key words.

5. Insure user ability to request transactions or queries.

6. Recognize repeated errors in transactions or queries.

7. Protect the user's process from interfering with other users' results.

8. Restrict access to files resulting from queries to the originator or other identified user.

9. Disconnect (log out) terminals by means other than physical disconnection after a specific period of inactivity.

10. Establish the access rights of both the user and terminal.

11. Deny the request for data at a higher level of access than authorized for user or terminal.

12. Recognize requested data's classification in transactions or queries.

Input/Output Controls

1. Determine originator and location of a transaction or query request.

2. Determine classification of the file resulting from a query.

3. Control the release of files resulting from queries.

4. Identify specific terminal addresses.

5. Control routing of information.

6. Display the classification of hard-copy or screen output.

7. Assign highest level of classification to a composite data request.

8. Assign classification to individual data elements.

Residual Control

Obscure classified data after process is complete.

Audit Trail

1. Alert control group if illegal terminal entries are made or attempted.

2. Trace entire messages to originating terminal.

3. Monitor the extent of activity at remote terminals.

4. Determine and log all requests for compartmented data.

5. Insure constant internal checks to insure correct software and hardware functions.

The characteristics listed above were extracted from existing systems and from research on proposed systems. Further, literature related to multilevel security and fixed transaction/free form query systems with remote terminals that process mixed classification data was also examined. It is recognized that implementation of software security techniques may be very expensive, but all are considered necessary to reduce the risk of penetration.

Discussion of ASSIST Software Control Designs

The discussion of software controls describes the preventive action the software will encompass. Software controls prevent users without the proper level of access from gaining access to compartmented data.

Access Controls. The location of the terminal and its proper identification is one of the most important controls. The identification of the terminal location dictates the level of access authorized. This identification should be automatic, which is possible because of direct communication lines between the terminal and the computer. This automatic identification, accomplished when the terminal is turned on, would verify the terminal authorization as established in the terminal profile table. As a double check on the system, a manual identification should also be used. The identification would be accomplished by the user entering a predetermined code with the log-on procedure.

The user access authorization is accomplished as the user logs on by use of a password, which is compared to a profile table listing the level of authorized access. The password also indicates the file functions (read, write, or execute) allowed the user. When this ability to recognize errors in passwords or processes identifies possible unauthorized access attempts, the terminal should be automatically disconnected from the system. The system security officer (SSO) should then be notified and be allowed to determine the reason for the error before allowing the terminal's reconnection. The disconnection process would be a software lockout requiring the SSO to exercise privileged instructions for release. Correct instructions to each user will assist in preventing false alarms.

The protection of a user's process and access to files from other users is controlled by bounds controls. Each user is assigned memory space by software and each memory reference is tested to be sure it falls within the bounds. "Memory space is further protected by the user's inability to generate addresses that are outside their own assigned memory space."

The profiles and lists are the stated access authorization levels to all entries and processes in the computer. The following profiles and lists are needed to insure segregation of compartmented data from users not authorized the stated access level:

1. User and terminal access privilege.

2. File access list (who is authorized entry).

3. File access profile (what function user is authorized).

4. Data element profile (classification level).

All access control profiles and lists must be afforded tamper-proof protection to preserve the integrity of the system.
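The access-control design above (terminal profile table, password check at log-on, file access list and file access profile, and a software lockout after repeated errors that only the SSO can release) can be expressed as a small set of tables and checks. The following is an added example written for this page, not code from the thesis or from ASSIST; the identifiers, table contents, password hashing scheme and the three-failure threshold are all assumed for illustration.

```python
"""Access controls: profile tables, log-on check, file access list/profile,
and SSO-released lockout. Added example; all tables and thresholds assumed."""
import hashlib
import hmac
from dataclasses import dataclass

# The three DoD classification levels named in the text, ordered low to high.
LEVEL_ORDER = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the thesis does not specify password storage (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass(frozen=True)
class UserProfile:
    level: str            # highest level of access authorized to the user
    functions: frozenset  # file functions allowed: "read", "write", "execute"
    salt: bytes
    pw_hash: bytes


@dataclass(frozen=True)
class TerminalProfile:
    location: str         # the terminal's location governs its level
    level: str


class AccessController:
    MAX_FAILURES = 3      # assumed threshold for "repeated errors"

    def __init__(self, users, terminals, file_access_list):
        self.users = users                        # user id -> UserProfile
        self.terminals = terminals                # terminal id -> TerminalProfile
        self.file_access_list = file_access_list  # file -> {user id: functions}
        self.failures = {}                        # terminal id -> consecutive errors
        self.locked = set()                       # terminals awaiting SSO release

    def logon(self, terminal_id, user_id, password):
        """Identify terminal and user; lock the terminal after repeated errors."""
        if terminal_id in self.locked:
            return False, "terminal locked out; SSO release required"
        term = self.terminals.get(terminal_id)
        user = self.users.get(user_id)
        ok = (term is not None and user is not None and
              hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash))
        if not ok:
            count = self.failures.get(terminal_id, 0) + 1
            self.failures[terminal_id] = count
            if count >= self.MAX_FAILURES:
                self.locked.add(terminal_id)
                return False, "repeated errors; terminal disconnected and SSO notified"
            return False, "identification failed"
        self.failures[terminal_id] = 0
        return True, "logged on"

    def sso_release(self, terminal_id):
        """Privileged action reserved to the system security officer."""
        self.locked.discard(terminal_id)
        self.failures[terminal_id] = 0

    def authorize(self, terminal_id, user_id, filename, function, file_level):
        """Access control 11: deny data above the level authorized for EITHER
        the user or the terminal; then consult the file access list (who may
        enter) and the file access profile (what function is allowed)."""
        user = self.users[user_id]
        term = self.terminals[terminal_id]
        ceiling = min(LEVEL_ORDER[user.level], LEVEL_ORDER[term.level])
        if LEVEL_ORDER[file_level] > ceiling:
            return False
        allowed_here = self.file_access_list.get(filename, {}).get(user_id, frozenset())
        return function in allowed_here and function in user.functions


def build_sample_controller():
    """Constructed sample tables (assumed, not taken from the FORSIG IDHS)."""
    salt = b"example-salt"
    users = {
        "analyst1": UserProfile("TOP SECRET", frozenset({"read", "execute"}),
                                salt, _hash_password("correct-horse", salt)),
        "analyst2": UserProfile("SECRET", frozenset({"read"}),
                                salt, _hash_password("battery-staple", salt)),
    }
    terminals = {
        "T01": TerminalProfile("vault", "TOP SECRET"),
        "T02": TerminalProfile("open bay", "SECRET"),
    }
    file_access_list = {
        "FILE-A": {"analyst1": frozenset({"read", "write"}),
                   "analyst2": frozenset({"read"})},
    }
    return AccessController(users, terminals, file_access_list)
```

Note that `authorize` takes the lower of the user's and the terminal's level: a TOP SECRET user at a SECRET terminal is held to SECRET, which is what item 11 of the access controls requires. The lockout state lives in the controller rather than in the terminal, so a relocked terminal cannot clear itself by reconnecting.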

Input/Output Controls (I/O). "As data is entering and leaving the system, the security control information (classification and categories) associated with it must be transmitted as well as the data itself; and for some I/O devices there may be a maximum data classification and categories."

The input/output controls described above could be implemented easily with hardware. The controls are not implemented on the PDP 11/45 computer which is located at FORSIG. Thus, the "reference monitor," which validates all input/output authorizations, must be implemented with software. The system notifies the user of his classification level and prevents a terminal from receiving or sending data higher than authorized. For each transaction or query, the software checks the access rights in the terminal and user profile tables before performing the operation. After the operation is completed, the data classification/category is checked against the terminal and user profile tables to insure the authorization level before any output occurs.
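The output-side check just described, together with I/O controls 7 and 8 (a composite request takes the highest classification of its elements; each data element carries its own classification), amounts to a label with a classification and a set of compartments and a dominance test applied before release. The following is an added example, not code from the thesis or from ASSIST; the compartment name "ALPHA" and the sample data elements are constructed for illustration.

```python
"""Security flags as labels, dominance, the high-water mark of a composite
query, and the reference monitor's output gate. Added example."""
from dataclasses import dataclass

LEVEL_ORDER = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # empty set means collateral

    def dominates(self, other):
        """A subject may receive data only if its label dominates the data's:
        a level at least as high AND every compartment of the data held."""
        return (LEVEL_ORDER[self.level] >= LEVEL_ORDER[other.level]
                and other.compartments <= self.compartments)


def composite_label(labels):
    """I/O control 7: a composite request takes the highest classification of
    its elements and, for compartmented data, the union of their compartments."""
    labels = list(labels)
    if not labels:
        raise ValueError("no data elements")
    top = max(labels, key=lambda lab: LEVEL_ORDER[lab.level]).level
    comps = frozenset().union(*(lab.compartments for lab in labels))
    return Label(top, comps)


def output_check(result_label, user_label, terminal_label):
    """Output gate: both the user's access approval and the terminal's maximum
    (some I/O devices have one) must dominate the result before release."""
    return (user_label.dominates(result_label)
            and terminal_label.dominates(result_label))


def run_query(elements, user_label, terminal_label):
    """elements: (value, Label) pairs, one label per data element (I/O control 8).
    Returns (released, result_label, values); values is empty when not released."""
    labels = [lab for _, lab in elements]
    result = composite_label(labels)
    released = output_check(result, user_label, terminal_label)
    values = [v for v, _ in elements] if released else []
    return released, result, values
```

The point the example makes is that the gate is applied to the label of the *result*, not to the labels of the inputs one by one: a query that joins collateral SECRET elements with a single compartmented element produces a compartmented SECRET result, and a collateral SECRET terminal cannot receive it even when the user holds the compartment.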

Residual Controls. All magnetic recording devices retain an electromagnetic image of the recorded data after the initial impression. Since both primary and secondary storage in most on-line multiuser systems are used repeatedly, it is possible that an area could have stored compartmented data that could be assigned to a user not authorized access. To prevent this from happening, the software overwrites memory space after it is deallocated. Properly functioning I/O controls would not allow this data to exit the system to a terminal not authorized access. All controls function together to form a secure system. A method to insure that all these controls function properly is the audit trail.
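The residual-data hazard and the overwrite-on-deallocation control can be shown side by side with a toy allocator. This is an added example, not code from the thesis; the pool, its size and the sample buffer contents are constructed to show the failure mode and its correction.

```python
"""Residual data in reused storage, with and without overwrite on
deallocation. Added example; pool size and contents are constructed."""


class MemoryPool:
    """A toy allocator over one bytearray. With sanitize=False a block freed by
    one user is handed to the next user with the previous contents intact."""

    def __init__(self, size, sanitize):
        self.mem = bytearray(size)
        self.sanitize = sanitize
        self.free = [(0, size)]   # (offset, length) of free blocks
        self.owner = {}           # offset -> user id currently assigned

    def allocate(self, length, user):
        for i, (off, ln) in enumerate(self.free):
            if ln >= length:
                self.free[i] = (off + length, ln - length)
                if self.free[i][1] == 0:
                    del self.free[i]
                self.owner[off] = user
                return off
        raise MemoryError("pool exhausted")

    def deallocate(self, off, length):
        if self.sanitize:
            # The residual control: obscure the data before the area is reused.
            self.mem[off:off + length] = bytes(length)
        del self.owner[off]
        self.free.insert(0, (off, length))   # freed block is reused first

    def write(self, off, data):
        self.mem[off:off + len(data)] = data

    def read(self, off, length):
        return bytes(self.mem[off:off + length])


def residual_leak(sanitize):
    """Simulate a compartmented query buffer being freed and the same area being
    assigned to a second user. Returns what the second user reads back."""
    pool = MemoryPool(64, sanitize)
    secret = b"COMPARTMENTED RESULT"   # constructed stand-in for query output
    blk = pool.allocate(len(secret), "analyst1")
    pool.write(blk, secret)
    pool.deallocate(blk, len(secret))
    blk2 = pool.allocate(len(secret), "analyst2")
    return pool.read(blk2, len(secret))
```

Without the overwrite the second user reads the first user's result verbatim; with it the area comes back zeroed. The same reasoning applies to secondary storage, which is why Table 1 below records the classification of each area of secondary storage assigned and when it was released.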

Audit Trail. The audit trail is a series of logs that record all transactions and queries within the system. The audit trail is an after-the-fact review by the SSO to determine what actions have transpired which affect the security operation of the system. Table 1 is a list of automatic logs and their contents.

Another method of proving the security of a system is a security verification program. This program provides a continuous check on the security of the system's operations. Actual responses are compared to known results to verify that the system is performing properly. This type of program needs to be updated periodically to continually test the system.

TABLE 1

1. SYSTEM ACCESS LOG

   a. MODE OF ENTRY (RJE, TIME SHARING, OR BATCH)
   b. IDENTIFICATION OF TERMINAL
   c. IDENTIFICATION OF USER
   d. TIME/DATE BLOCK
   e. TIME USED
   f. I/O DEVICE DEDICATION

2. FILE USAGE LOG (PROTECTED)

   a. RECORD OF OPEN FILE AND CLOSE FILE
   b. IDENTIFICATION OF USER ACCESSING FILE
   c. ACTIVITY TAKEN AGAINST FILE (READ, WRITE, MODIFY, EXECUTE, ETC.)
   d. IDENTIFICATION OF TERMINAL ACCESSING FILE

3. SUSPECTED VIOLATIONS LOG

   a. TYPE OF SUSPECTED VIOLATION
   b. IDENTIFICATION OF TERMINAL
   c. IDENTIFICATION OF USER
   d. ACTION TAKEN
   e. DATE/TIME BLOCK

4. TRANSMISSION LOG

   a. IDENTIFICATION OF TERMINAL RECEIVING/ACKNOWLEDGEMENT
   b. IDENTIFICATION OF USER REQUEST
   c. IDENTIFICATION OF FILES INVOLVED
   d. DATE/TIME BLOCK
   e. IDENTIFICATION OF COMMUNICATION PORT/LINE

5. SECONDARY STORAGE LOG

   a. RECORDED AREA OF MEMORY ASSIGNMENT BY CLASSIFICATION
   b. TIME AREA DEDICATED
   c. TIME AREA RELEASED
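The SSO's after-the-fact review of these logs can itself be automated for the audit-trail requirements listed earlier: alert on repeated illegal entry attempts from a terminal, enumerate every request for compartmented data, and trace a user's activity back to the originating terminal. The following is an added example, not code from the thesis or from ASSIST; the record layout (one line per entry, fields separated by `|`, in the shape of the system access, file usage and suspected violations logs of Table 1) and the sample lines are constructed for illustration.

```python
"""SSO review over audit trail records. Added example; record layout and
sample lines are constructed, not taken from ASSIST."""
from collections import Counter

# Constructed records: log-type|date/time|terminal|user|detail
SAMPLE_LOG = """\
ACCESS|1976-03-04 08:01|T07|analyst3|LOGON OK
VIOLATION|1976-03-04 08:05|T12|-|BAD PASSWORD;ACTION=NONE
VIOLATION|1976-03-04 08:05|T12|-|BAD PASSWORD;ACTION=NONE
VIOLATION|1976-03-04 08:06|T12|-|BAD PASSWORD;ACTION=DISCONNECT
FILE|1976-03-04 08:10|T07|analyst3|OPEN FILE-A READ COLLATERAL
FILE|1976-03-04 08:12|T07|analyst3|OPEN FILE-B READ COMPARTMENTED
VIOLATION|1976-03-04 08:15|T09|analyst5|LEVEL EXCEEDS TERMINAL;ACTION=DENY
FILE|1976-03-04 08:20|T03|analyst9|OPEN FILE-B READ COMPARTMENTED
"""


def parse_records(text):
    """Split the log into dicts; a malformed line is a finding in itself, so
    it raises rather than being skipped silently."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        log, when, terminal, user, detail = line.split("|", 4)
        records.append({"log": log, "when": when, "terminal": terminal,
                        "user": user, "detail": detail})
    return records


def repeated_violations(records, threshold=3):
    """Audit trail item 1: terminals whose suspected-violation count reaches
    the threshold, for alerting the control group."""
    counts = Counter(r["terminal"] for r in records if r["log"] == "VIOLATION")
    return {t for t, n in counts.items() if n >= threshold}


def compartmented_requests(records):
    """Audit trail item 4: every request for compartmented data, as
    (date/time, terminal, user, file)."""
    return [(r["when"], r["terminal"], r["user"], r["detail"].split()[1])
            for r in records
            if r["log"] == "FILE" and "COMPARTMENTED" in r["detail"]]


def trace_user(records, user):
    """Audit trail item 2: the terminals from which a user's activity originated."""
    return sorted({r["terminal"] for r in records if r["user"] == user})
```

Because the file usage log records the terminal as well as the user, `compartmented_requests` can be cross-checked against the terminal profile table: a compartmented file opened from a terminal whose profile is collateral would indicate a failure of the I/O controls, which is exactly the kind of condition the after-the-fact review exists to catch.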

To insure security, software controls have to be implemented in a way that makes them tamper proof. The most appropriate vehicle for tamper-proof implementation is the security kernel.


Security Kernel

A security kernel is a protected core of software whose correct operation is sufficient to guarantee enforcement of constraints on access, and is the basis for a secure system. "All protection mechanisms are collected in the kernel, so that only this kernel need be considered in order to verify that the specified security properties are implemented correctly."21

A characterization of the mechanism that should be included in a security kernel can be obtained by viewing the security specification as a set of constraints on the interaction of the various computations that occur in a computer system. The protection mechanisms of the system prevent one computation from exerting an unauthorized influence on the input, progress, or output of another. Permanently stored data is one form of the input and output of computations.22

By viewing the entire security requirements of the system, it can be said that three principles must exist with the security kernel. First, the kernel must be tamper proof; second, it must always be invoked; and third, it must be small enough to be subject to analysis and testing to assure correctness.

The tamper-proof condition is essential. If the kernel's software can be altered either by programming or manually, its integrity cannot be guaranteed; thus, there is no security certification.


The continuous invocation of the kernel in all accesses, fixed transactions, queries, and input/output is the heart of the security feature. This will be accomplished by a reference monitor validator which validates all references (to programs, data, files, input/output, etc.) made by programs in execution against those authorized for the user and/or remote terminal. The reference monitor validator not only assures that the references are authorized to share resources, but also that the reference is the proper kind (i.e. read/write/execute). If the kernel is not invoked on each transaction, then again, security cannot be guaranteed.

Finally, the condition that the kernel must be small enough to logically demonstrate that it is complete, faithful to the security designs, and correctly implemented, is another way of saying it must be capable of enforcing stated security constraints on access to information in the system. Being proven correct must be a continuous procedure.

One method currently in use by the Defense Intelligence Agency is an on-line security monitor that performs not only software checks, but also hardware checks, to insure that security related controls are working. "The program size of the monitor is 2,000 words. 110,000 hardware checks and 10,000 software checks are performed during each shift." This type of check helps to detect software and hardware failure, so deficiencies can be corrected.

The security kernel design incorporates the reference monitor validator, access control (to the system), and the authorization mechanism. Further, it will probably incorporate the administrative programs to represent and maintain user and program authorizations. The kernel is visualized as the center for software security controls. The Electronic Systems Division Computer Security Panel identified the concept of a reference monitor and security kernel as fundamental to a secure computer system.

The kernel should also allow verification through formal techniques. The kernel will enforce access constraints that combine the controls reflecting the information release policies of the military security system and the control on information sharing within the ASSIST system. The broad constraint on the ASSIST system is to allow multiple users to process and not allow compartmented intelligence data to be transmitted to users not granted the appropriate access. The kernel's functions consist of:

a. Identifying and authenticating each user/terminal requesting to access and process classified and/or compartmented data.

b. Insuring that the communication of security authorization of user and terminal is transmitted with each transaction or query request.

c. Insuring that compartmented intelligence output is transmitted only to those devices authorized to receive compartmented intelligence.

d. Monitoring and requesting job termination when abnormal conditions arise.

To accomplish its functions, the kernel must have a segregated,
controlled area within central memory that controls access to the kernel's
software and makes it tamper proof.

The Multics Corporation has developed a prototype security
kernel and implemented it on the Digital Equipment PDP 11/45 hardware.
The PDP 11/45 is the heart of the intelligence data handling site at
FORSIG.

    In order to be efficient in a general purpose system, it does
    require hardware support. You could do it with software, but it
    would not be efficient. And again the primary hardware character-
    istic we find necessary for the efficient implementation of the
    kernel is the segmented virtual memory with independent access
    rights per segment and at least three machine states or security
    domains. In the case of the PDP 11/45, instead of just having
    a master and a slave, they have a kernel mode, a supervisor mode,
    and a user mode. It is the existence of those three states that
    allows us to implement the kernel mode.


Summary

This chapter has examined software controls needed at the FORSIG
intelligence data handling site. It also described the security kernel
and the important role it plays in reducing the risk of penetration to
an acceptable level. The penetration risk associated with the IDHS at
FORSIG and how software controls counter that risk are examined in
Chapter III.
Introduction

Risk assessment is a difficult task. The only logical method is
to identify all possible weaknesses in a system and to design a control
to counteract that weakness. The environment surrounding the ASSIST
intelligence data handling site FORSIG must be examined to determine its
weak points. This chapter examines the environment, the penetration
risk, and the methods and controls either in force or in design to reduce
the risk of penetration.

IDHS Environment

The ASSIST system at FORSIG has three separate facilities, all
connected to each other, which form the intelligence handling system.
Figure 4 depicts the ASSIST configuration at FORSIG. Terminals are
located at three separate facilities: the intelligence data handling
site, the special activities office, and the FORSIG headquarters. The
equipment available to the analysts is the cathode-ray tube (CRT) and
teletype (TTY) input/output devices. The CRT does not produce a hard
copy and is used primarily to input data and update the onsite files and
other processes not requiring a hard copy. The TTY is used when the
analyst does desire a hard copy. These I/O devices allow the analysts
to accomplish the following:

1.  Manage  local  files. 

2.  Transmit  messages,  inter-intra  sites. 
3. Invoke operation of application programs at the IDHS.

4. Interact with GAGS I host computer for remote job entries and
time sharing.

5. Transmit files between ASSIST sites.

6. Transmit and receive data between the analyst and OTA.

All  three  facilities  are  connected  by  encrypted  lines  to  the  computer 
located  in  the  intelligence  data  handling  system  site. 

The facilities of the special activities office and the intelligence
data handling site are accredited to process and store compartmented
intelligence. The FORSIG headquarters terminals are located in an
adjacent vault constructed to the physical specifications that allow
processing and storing of compartmented intelligence, but it is not
accredited to do so. Accrediting the facility and using it for
compartmented operations would eliminate those analysts not appropriately
cleared to receive such data.

The FORSIG headquarters, which is not accredited to receive
compartmented intelligence, is the location that does the most processing.
It is also this site where the problem of multilevel security exists,
since the other sites are cleared for the compartmented level.

This multilevel security problem is currently being solved by
processing data in a 'system high mode', whereby all the data are
controlled in accordance with the highest classification or category level
being processed in the system at the time. There are manual provisions
to raise or lower the security level and also extract material at a lower
classification. Users located at the FORSIG headquarters are physically
disconnected from the system during the time compartmented intelligence
is being processed. The set procedures utilized for raising and lowering
the system operating level are those listed by the Defense Science Task
Force on Computer Security for a segregated mode of operation. This
disconnection creates a problem, however, since approximately 75 percent
of the analysts are disconnected from the system for periods that result
in the loss of both time and manpower.

Currently, compartmented data is being processed two days of the
week. Because files are not being updated in a timely manner, this is
an unsatisfactory practice. As other ASSIST sites become operational,
a heavier demand will be placed on the system to process compartmented
data.

There are two possible solutions. One is to upgrade the FORSIG
headquarters vault to the compartmented intelligence level. Such action
would mean that analysts who are not cleared for compartmented
intelligence would be denied access to the terminals and to that particular
facility. It would also increase the work load of the special security
officer who must screen all material leaving his control to insure that
no compartmented intelligence material is compromised. All personnel
working in the FORSIG headquarters have a minimum of a secret clearance
and approximately twenty (20) percent have a compartmented intelligence
clearance. Because all analysts are not clearable, and the clearance
procedure normally requires six months after the initiation of paperwork,
facility upgrading would limit available analysts' time and manpower.

The second possible solution would be to implement software
security controls that would allow both the collateral and compartmented
intelligence data to be processed at the same time. When implemented,
this would eliminate loss of time and manpower and make the computer
available to all the analysts regardless of clearance.
Contrasting the two solutions, the first would appear to be
better because of ease in implementation. Of the 75 percent of the
analysts located in the FORSIG headquarters, only 20 percent are
appropriately cleared to process compartmented intelligence, causing a
disadvantage by losing approximately 55 percent of the total analysts
available for processing. The current method eliminates the uncleared
personnel two of the five working days, or 40 percent of the time.
Personnel turnover, lack of qualification by some users to qualify for
access to compartmented intelligence, and lengthy clearance procedures
make upgrading the facility unsatisfactory.

The FORSIG intelligence data-handling system's operations can
be summarized by the following:

a. System's use--multilevel (fixed transaction and free form
query).

b. User environment--physical protection of terminals, controlled
access to terminals, and protection of communication lines with
cryptographic techniques.

c. Threat--deliberate and accidental penetration.

d. Authorization--collateral and compartmented.

IDHS Penetration Analysis

Penetration  of  the  ASSIST  system  would  be  by  extraction  of  data 
from  the  facility  or  the  system  by  unauthorized  persons.  Penetration 
can  be  deliberate  or  accidental.  Deliberate  penetration  occurs  when  a 
person,  not  authorized  access  to  restricted  data,  makes  an  attempt  to 
receive  it.  Accidental  penetration  occurs  when  the  system,  for  various 
reasons,  fails  in  the  security  constraints  it  is  designed  to  enforce. 
Deliberate Penetration. Due to secure communication lines and
physical protection afforded remote terminals, it would be highly
improbable for a deliberate penetration to be accomplished by an
unauthorized user. The installation of secure communication links for all
terminals on the system effectively prevents any external penetration
attack, and forces a penetration agency to seek an alternate method.

The secure communication links protect only from an external
source. An attack could be mounted from within, from an authorized
terminal. The physical protection, alarm systems, and the access control
to the terminals significantly reduce the risk of an unauthorized user
gaining access to the terminal.

The degree of threat posed by an authorized user is directly
related to the number of security controls he must bypass or render
inoperative, and once inside, the amount of programming he can do. The
ASSIST system at the intelligence data handling sites is a fixed
transaction/free form query system as discussed in Chapter I. The user
capability affecting the operation of the system is limited by the
intrinsic capability of the tools he can use. Properly operating software
and hardware within ASSIST do not provide the user with sufficient tools
to take control of the system. The intruder cannot attack the system
with his own program.

The user may be able to gain unauthorized access to compartmented
data by probing the system for weak points caused by errors or logic
oversights. Trap doors are created by support personnel that allow
circumvention of security techniques in the programming and operating
systems supporting the application. The security threat posed by this
type of operation depends on whether the application is designed in such
a way as to assure that each user is fully controlled in all actions he
may take on the system. It is therefore imperative that both the
application programs and operating systems for the supporting hardware be
implemented by appropriately cleared personnel. This action should
prevent the possible inclusion of trap doors.

Because the ASSIST system has been implemented by appropriately
cleared personnel, the probability of a deliberate threat from outside
the system is considered small. The fact that all users have at least a
secret clearance reduces the probability of a deliberate threat from
within, though not eliminating the possibility.

Contrasted to deliberate penetration, accidental penetration is
a problem. The next section will discuss this possibility and the
controls suggested to counter it, as well as an inside deliberate threat.

Accidental Penetration. A failure of software or hardware
controls could result in an exposure of information within the system.
Such failures can involve the coupling of information from one user with
that of another user. Software failure can render files or programs
unusable, defeat or circumvent the security measures, or change,
unintendedly, the security status of users, files, or terminals. The
Hughes study discussed hardware failure for all post-1975 systems.

    The probability that an unintentional release of data due to
    hardware failure will occur is less than the hardware mean time
    between failures (MTBF) because parity check circuits will detect
    some circuit failures and others will not result in data release.

Risk of software failure can be greatly reduced by carefully
correcting errors and certifying the programs before implementation.
Accidental disclosures may also occur by improper actions of machine
operations in routing without deliberate intent. Anderson, in his
computer security controls study, stated:

    . . . that the actual risk of classified information being
    made available to unauthorized persons due to misroute is quite
    small, and then only if the unclassified lines are continuously
    passively monitored for the eventuality. Note that the statement
    above does not suggest that misroute will not occur, only that
    its effect in an open-secure system is greatly exaggerated.

The software controls in Chapter II are designed to reduce the
probability of accidental penetration. Deliberate penetration from
outside the system is already an acceptable risk level. As previously
stated, physical, communication, administration, and personnel controls
already meet stated DoD criteria. Personnel controls apply to only those
individuals who have access to compartmented data.

The preceding sections have discussed the IDHS environment and
have evaluated the risk. The comparison of the manual versus the
automated security checks will aid in determining an acceptable risk level.
Manual provisions are currently acceptable as secure in storing and
processing compartmented intelligence.

Manual/Automated Procedural Comparison

This comparison will provide a method to judge the relative
value of automated techniques. This section will discuss those techniques
that are common to both types of systems, and those that are analogous.

In both systems, procedural techniques are used to provide
physical protection for areas where compartmented data is used; to insure
personnel possess appropriate clearance; to receive, control, disseminate,
and access compartmented data; and to protect the compartmented data
during transmission. The addition of automated techniques to increase
the reliability of these procedures could be viewed as an attempt to
increase the security of automated systems over that of manual systems.


    Analogous techniques used in the two systems are (1) data
    storage procedures, (2) data access procedures, (3) data access
    accounting, (4) storage check procedures, and (5) inventory
    procedures. Data stored in a manual system is protected by three
    combination safe locks with 125,000 possible combination codes.
    In an automated system, data storage is based upon access codes
    with 4,000,000,000 possible combinations in a normal 32 bit code
    word. The probability of data access through other than code word
    knowledge is considerably less in an automated system than in the
    present manual system.

Access to data in a manual system is based on access lists and
personal identification. In an automated system, access to data and
files is based upon user/terminal profile tables and the requirement to
submit the proper code word.

Accountability for data access in the manual system is performed
by document sign-out. In the automated system, the access logs and
security program reports can be reviewed daily, or more often if desired.
Periodic inventory is used in the manual systems to insure documents
have not been lost or stolen. The same can be accomplished in the
automated systems. The files are periodically reviewed, the security logs
examined, and the check sum totals used to insure data integrity.

Table  2 summarizes  the  above  techniques.  The  common  techniques  for 
storing  and  processing  compartmented  intelligence  in  a manual  and  auto- 
mated system  are: 

a.  Physical 

b.  Personnel 

c.  Communication 

d.  Administrative 

It  is  evident  that  even  with  the  use  of  modest  security  tech- 
niques in  an  automated  system,  a greater  level  of  security  is  possible 
than  with  those  techniques  available  in  the  manual  system. 
The IDHS FORSIG environment has been designed to prevent deliberate
penetration from outside the system. Inadvertent or accidental
disclosure of compartmented data has been identified as the problem.

The software controls discussed in Chapter II were designed to
prevent accidental disclosure. The security kernel is the area where
all security-related software, profiles, and lists are stored. Software
must be verified correct and a system certified before an acceptable
risk exists. Chapter IV, Conclusions and Recommendations, discusses
verification and certification of the security software. Conclusions
concerning ASSIST computer security at FORSIG are discussed and
recommendations are made to bring the risk of penetration to an
acceptable level.
Introduction

Since current personnel, administrative, physical, and
communication security measures in force are approved by the Defense
Intelligence Agency in processing compartmented data, the emphasis is
placed on software security control techniques. The recommended software
security controls do not depend on one control, such as a password, to
provide security for the system. The recommended software incorporates a
series of controls, each supporting the other as a security constraint,
with all being subject to a security verification program. By having a
series of controls, any one of which could deny access to a would-be
penetrator, the probability of penetration is reduced significantly.
Although the probability is further reduced as more controls are added,
at some point the additional controls are not cost effective.

Software security checks are designed to give a consistent
verification of both identification and authorization levels of the
individual user and terminal each time an attempt is made to access the
system. The design of the software is such that it has the capability of
detecting any accidental or intentional security breaches, identification
of the time and person responsible for the breach, and the disconnection
of that terminal.

The broad objective of finding ways to reduce the size and
complexity of security-relevant software is a prerequisite to performing a
convincing, logical verification that a system correctly implements the
claimed access constraints when used with a good verification technique.
Without such verification of correctness, a system cannot be considered
an acceptable risk.

Verification

Both the design and implementation of software security controls
in the security kernel must be tested to insure correctness. E. W.
Dijkstra designed a process called structured programming. Dijkstra's
design can be used in the verification of the operating systems'
software. The structure is a top down approach in which the program is
built one level at a time. "At each level, the next lower level of the
structure is denoted by a name (or abstraction) assigned to it. For each
level, a proof, in which the denotation of each name denoting a lower
level is considered to be correct, is constructed." Each component of
the operating system is constructed to be self-contained, and to operate
correctly. The components are then able to communicate freely and
without possibility of interference. Since each step of the construction
process is proven to operate correctly, this constitutes a "proof" that
the system as a whole will operate correctly. The programs that result
from this process have a well defined structure and are practically
error free because correctness is proved at each level.

The verification process must be accomplished by individuals who
are authorized access to compartmented intelligence. This is necessary
because it is the software that will control access to compartmented
data. It is virtually impossible to prove that the software is 100
percent correct, counteracting all threats under all conditions. It is
also impossible to prove that all persons having access to compartmented
data will not compromise this information in some manner. But DoD has
accepted the condition that after an individual undergoes an expanded
background investigation, the risk is acceptable. It is possible to
test software for known threats and prove its correctness. Software
properly structured, proven, and tested can also be certified as an
acceptable risk.

Certification

Software certification involves proving that the security kernel
is always invoked, is tamper resistant, and does validate each and every
reference in the system. [37]

The system must be tested by expert technical personnel having
access to the design and specifications of the entire system. Access to
such material would not be in the hands of a potential penetrator because
this information would be controlled as compartmented data. The strict
controls are imposed because the information on software and system
specification is the heart of the protection features for the
compartmented data contained in the system. "Certification should be
performed by a group other than that responsible for the design,
construction, or maintenance of an operational system." This outside
group of experts, given all the system's specifications, will design a
plan of attack against the security constraints enforced by the software.
A sufficient amount of time, approximately three months, should be given
to plan the attack. After the attack is planned, the team of experts
should initiate the attack on the site. After the attack is implemented
with no successful penetration, the system should be certified as posing
an acceptable risk level.

The concept of attempted system penetration as a means of
certifying a system is not new. "In 1970, a group of Rand researchers,
J. Anderson, R. Bisbey, and D. Hollingworth, demonstrated the practicality
of system penetration as a tool for evaluating the effectiveness and
adequacy of implemented data security safeguards."

The thoroughness of the test is limited by the availability of
manpower and money. The security kernel contains all software security
functions necessary to minimize the certification process by localizing
what has to be certified.

In order to accelerate the testing cycle and reduce the amount
of manpower, the automated verification techniques which assist
in the certification of the operating systems and application programs
are summarized below.

    1. Automatic analysis of the anatomy of an operating system,
    i.e., identifying all "testable segments" (sequence of code that
    has only one input and one exit) and all transfers between
    segments.

    2. Quantifying the thoroughness of the testing by instrumenting
    the operating system to measure the fraction of segments
    and transfers exercised in each test and cumulatively over a series
    of tests.

    3. Identifying the portions (segments and transfers) not tested
    in a series of test cases and indicating the input data needed to
    exercise them.

    4. Identifying all entrances to sensitive areas of an operating
    system.

    5. Identifying all interrupts and the logical paths they
    can initiate.

    6. Investigating other characteristics of operating systems
    for suitability for automatic analysis and quantitative measurement,
    e.g., time dependent processes. [46]

The test will determine the degree to which the system conforms
to the security requirements. If any changes or modifications to the
system occur, then the entire certification process must be conducted
again. This is the only way an acceptable security mode of operation
can exist.
The ASSIST problem, preventing disclosure of compartmented intelligence
to analysts who do not possess the necessary access, has been discussed
by an examination of the Intelligence Data Handling Site (IDHS) at
Forces Command Intelligence Group (FORSIG). Security in a multiuser,
multilevel system is not an impossible task. However, the term "security"
has to be modified to connote an acceptable level of security. No
system is 100 percent secure, but a system may possess security features
that reduce the risk of penetration to an acceptable level.

IDHS FORSIG has established and approved physical, personnel,
hardware, administrative, and communications security measures and
presently processes compartmented data in a system-high mode. To process
in an open mode, software security must be implemented that would prevent
users without a need to know from access to compartmented data. An open
mode of operation allows all analysts to process simultaneously
regardless of their level of access.

With one major exception, the security environment of the manual
system used for processing compartmented and collateral data
simultaneously is the same security environment as in an automated
system. In the manual system the special security officer enforces
security, while in the automated system the software enforces security
constraints. The use of a special security officer is currently accepted
as a means of providing an acceptable security risk. Software has not
been accepted as an acceptable risk. The special security officer is
human and thereby capable of mistakes. Software, properly constructed,
reacts to each situation defined in the same manner each and every time,
unless there is a failure within the software, but the software design is
constructed to have checks and counter checks to prevent error. The
probability of all controls failing at once, or going undetected, is
extremely low. The software does not eliminate the need for a special
security officer.

The software is the special security officer's representative within the
computer and performs the same functions as that of the special security
officer in a manual system. The special security officer is still
responsible for the security of compartmented data. The software is the
tool that assists him in his duties.

The special security officer is responsible for receiving,
storing, controlling, and disseminating compartmented data. The section
on manual and automated comparison in Chapter III compares controls and
shows that automated controls increase security. Security constraints
governing compartmented data are contained in several DoD directives and
can be placed in the software. Security is provided by installing
sufficient software barriers/controls to prevent and/or detect
penetration, or by requiring such a very large work factor to penetrate
that a would-be penetrator would be detected by co-workers in the
terminal area. The controlled physical environment surrounding the
terminals and computer at IDHS FORSIG will greatly aid in the detection
of a deliberate penetration from within, although not eliminating the
possibility of an attempt.

The various software controls cover the areas of access,
input/output, residual, and audit trail, and also build upon the
established physical, personnel, administrative, and communications
security measures already at FORSIG to bring the risk of penetration to
an acceptable level, but software is only as good as the individuals who
design and construct it.

It is therefore imperative that the software be carefully constructed
and tested before implementation. After the constructing, testing, and
implementing of software, the entire system must be tested by a team of
technical experts to insure the system conforms to the security
constraints placed upon it. The ASSIST software security controls design
is listed and discussed in Chapter II and identifies the controls
necessary for acceptable software security at FORSIG.

Once controls are designed, they must be protected from all users.
The security kernel discussed in Chapter II offers an ideal location for
software security controls. The kernel protects the software from being
modified. The kernel, the center of the software security controls,
ensures compartmented data is not compromised.

Research indicates that it is possible to build an adequately
secured system for a particular operational environment. With properly
structured software controls that have been subjected to an intensive
and unsuccessful penetration attack, the IDHS FORSIG offers an existing
environment that can be certified as possessing adequate security.

Recommendations

The following statements summarize the software recommendations
regarding the multilevel security problem described in Chapter III at
the ASSIST intelligence data handling site:

1. Implement software security controls listed on pages 12 and
13. The software must be constructed carefully in order to prevent errors
in the programs that could defeat the constraints to be enforced by the
software.

Access controls are the first software controls the user encoun-
ters. They are of primary importance because these controls identify who,
where, and what access is authorized throughout the system. Special
emphasis should be given to controls numbered one, two, and ten, on
pages 12 and 13. These controls identify the user/terminal and establish
the access rights. Correct identification of the user/terminals is of
prime importance because it is the location of the terminal, and the
user's clearance, that governs the access rights.

After the access rights are identified, they accompany each
transaction and restrict access to only that data authorized. Input/
output controls insure that the user performs only those operations
authorized. Once the process is complete, I/O controls release data to
only those user/terminals possessing the necessary clearance level. The
major emphasis should be placed on input/output control numbers two, three,
five, seven, and eight on page 13. These numbered designs are concerned
with classification and release of classified (compartmented) data to
those users not appropriately cleared.

The control of residual data is necessary because many users are
assigned the same memory space. If this space is not erased there is a
possibility a user may gain access to data to which he is not authorized.

The audit trail is used to verify that the system is operating
correctly and that it is being used properly. The system must be able
to identify all attempted violations, accidental or deliberate. All the
logs in Table 2, page 17, are necessary to provide the system security
officer and special security officer with sufficient information to
insure continuing security.

Special emphasis should be given to design number five under
audit trail, page 13. The internal software and hardware checks would be
a means of verifying their continuing correct operation. The check would
be inserted into the system as a program imitating a user. The test pro-
gram should attempt to violate security controls, and then verify that
the system gives the correct response in each case. The program must
communicate with the system as a normal user would. Communications of
this type would require that the program be routed to a remote location,
and back to the computer again. The program routing would also check
channel controls. Every time the test program violates security con-
straints, the system security officer must be notified and the system's
operation terminated until the problem can be resolved.

Implementation of software controls at IDHS FORSIG will enhance
the security posture of that ASSIST site. Extreme care must be taken in
constructing and testing the designed software.

2. Incorporate software security controls into a security kernel.
The objective of the security kernel is to integrate all security related
functions into one part of the operating system. The collection of all
security functions into a central area aids in the protection and verifi-
cation of their correctness. The security kernel has initial control
over queries and transactions, and every user is forced to rely upon it.
The security kernel enforces the security constraints on the use of files
and the release of data. The functions of the kernel are listed on page
20. It is the performance of these functions that insures that the secur-
ity constraints are enforced. To insure that the kernel is able to per-
form properly, two conditions must exist. First, the security kernel
must be tamper-proof, allowing only authorized personnel to modify or
alter its functions. Second, the kernel must always be invoked. No
method should be open for a user to bypass the kernel. Presently, the
kernel is hardware dependent and the appropriate hardware is in service
at the IDHS FORSIG.
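The following is an added example, not code from the thesis or from the ASSIST
system, that models the controls recommended above in miniature: access rights
derived from both the user's clearance and the terminal's clearance (controls
one, two and ten), release of data only to terminals possessing the necessary
clearance (the I/O controls), erasure of a shared memory space before reuse
(residual data), an audit trail with notification of the system security officer
on every denied attempt, a self-test program in the sense of audit-trail design
five that attempts violations and verifies the response, and a single kernel
object through which every request passes (recommendation 2). The level names,
compartment "X", file names, terminal names and the Label, Subject and Kernel
classes are all hypothetical, constructed for the example.

```python
from dataclasses import dataclass

# Constructed level ordering (hypothetical, not ASSIST markings).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Classification level plus the compartments a piece of data belongs to."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A receiver may see data only if its level is at least the data's
        # level and it holds every compartment the data is marked with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Subject:
    """A user at a terminal; both clearances govern the access rights."""
    user: str
    user_label: Label
    terminal: str
    terminal_label: Label

    def access_rights(self):
        # Rights are the greatest lower bound of user and terminal clearance:
        # a TOP SECRET user at a SECRET terminal works at SECRET, no compartments.
        level = min(self.user_label.level, self.terminal_label.level, key=LEVELS.get)
        return Label(level, self.user_label.compartments & self.terminal_label.compartments)


class Kernel:
    """Single choke point for every access, release and work-space request."""

    def __init__(self, files):
        self._files = dict(files)        # file name -> (Label, bytes)
        self._work_area = bytearray(32)  # memory space shared by successive users
        self.audit = []                  # audit trail: one record per attempt
        self.sso_alerts = []             # denied attempts forwarded to the SSO

    def _log(self, subj, op, target, granted):
        record = (subj.user, subj.terminal, op, target, "GRANTED" if granted else "DENIED")
        self.audit.append(record)
        if not granted:
            self.sso_alerts.append(record)  # SSO must be notified of every violation

    def read(self, subj, fname):
        """Access control: the transaction's rights are checked against the file label."""
        label, data = self._files[fname]
        ok = subj.access_rights().dominates(label)
        self._log(subj, "READ", fname, ok)
        if not ok:
            raise PermissionError(f"{subj.user}@{subj.terminal} not cleared for {fname}")
        return data

    def output(self, subj, fname, dest_terminal_label):
        """I/O release control: data goes only to a terminal cleared for its label."""
        label, data = self._files[fname]
        ok = subj.access_rights().dominates(label) and dest_terminal_label.dominates(label)
        self._log(subj, "OUTPUT", fname, ok)
        if not ok:
            raise PermissionError(f"release of {fname} refused")
        return data

    def use_work_area(self, subj, payload):
        """Residual-data control: the shared space is erased before it is handed over."""
        if len(payload) > len(self._work_area):
            raise ValueError("payload too large for work area")
        self._work_area[:] = bytes(len(self._work_area))  # zero the previous user's residue
        self._work_area[:len(payload)] = payload
        self._log(subj, "WORK", "shared area", True)
        return bytes(self._work_area)


def self_test(kernel, cleared, uncleared):
    """Audit-trail design five: a program imitating a user tries to violate the
    controls and verifies the kernel answers correctly; returns the failed probes."""
    probes = [  # (description, attempt, should_succeed)
        ("cleared read", lambda: kernel.read(cleared, "report_x"), True),
        ("uncleared read", lambda: kernel.read(uncleared, "report_x"), False),
        ("release to uncleared terminal",
         lambda: kernel.output(cleared, "report_x", uncleared.terminal_label), False),
    ]
    failures = []
    for name, attempt, should_succeed in probes:
        try:
            attempt()
            succeeded = True
        except PermissionError:
            succeeded = False
        if succeeded != should_succeed:
            failures.append(name)
    return failures


def build_demo():
    """Constructed sample: one compartmented file, one cleared and one uncleared subject."""
    ts_x = Label("TOP SECRET", frozenset({"X"}))
    kernel = Kernel({"report_x": (ts_x, b"compartment X contents")})
    analyst = Subject("analyst", ts_x, "T1-vault", ts_x)
    clerk = Subject("clerk", Label("SECRET"), "T7-open-bay", Label("SECRET"))
    return kernel, analyst, clerk
```

Running self_test on the sample returns an empty list, and the two denied probes
leave two records in sso_alerts; a real deployment would stop operation on any
non-empty result, as the thesis requires. Placing every check inside Kernel is
what makes the "always invoked" condition testable: nothing in the model reads a
file or the work area except through the kernel's methods.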

3. Attempt to penetrate the system as a means of certifying that
the software possesses an acceptable security risk. The FORSIG system
is presently certified to process compartmented data in a system-high
mode. After software security controls are implemented at FORSIG, a
method of proving that the system enforces security constraints must be
accomplished before certification. By providing a team of experts with
all the possible data on the system, and allowing them to attack the sys-
tem with their program, an advantage is created which would normally not
exist for a would-be penetrator. It must be emphasized that a change or
modification of the software would void the certification.

This thesis has identified what is considered to be the minimum
number of software security controls, and verification/certification tech-
niques necessary to prove their correctness, for the intelligence data
handling site at Fort Bragg, North Carolina. The total ASSIST environ-
ment--physical protection of the facilities, personnel access controls to
the terminals, limited locations of nonappropriately cleared terminals,
encryption of communication lines, along with the software security tech-
niques recommended in this thesis--contributes to reducing the risk of
penetration and bringing this risk to an acceptable level.